Showing posts with label Cloud Security Alliance. Show all posts
Showing posts with label Cloud Security Alliance. Show all posts

Monday, June 14, 2010

Top Reasons and Paybacks for Adopting Cloud Computing Sooner Rather Than Later

Transcript of a BriefingsDirect podcast on how adopting cloud computing models can lead enterprises to gain business and technology benefits.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Dana Gardner: Hi, this is Dana Gardner, principal analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. Welcome to a sponsored podcast discussion on identifying the top reasons and paybacks for adopting cloud computing.

Like any other big change affecting business and IT, if cloud, in its many forms, gains traction, then adopters will require a lot of rationales, incentives, and measurable returns to keep progressing successfully. But, just as the definition of cloud computing itself can elicit myriad responses, the same is true for why an organization should encourage cloud computing.

The major paybacks are not clearly agreed upon, for sure. Are the paybacks purely in economic terms? Is cloud a route to IT efficiency primarily? Are the business agility benefits paramount? Or, does cloud transform business and markets in ways not yet fully understood?

We'll seek a list of the top reasons why exploiting cloud computing models make sense, and why at least experimenting with cloud should be done sooner rather than later. We have assembled a panel of cloud experts to put some serious wood behind the arrow leading to the cloud.

Please join me now in welcoming Archie Reed, HP's Chief Technologist for Cloud Security and the author of several publications including The Definitive Guide to Identity Management and a new book, The Concise Guide to Cloud Computing. Welcome back to the show, Archie.

Archie Reed: Thanks very much, Dana.

Gardner: We're also here with Jim Reavis, executive director of the Cloud Security Alliance (CSA) and president of Reavis Consulting Group. Welcome back to you too, Jim.

Jim Reavis: Pleasure to be here, Dana.

Gardner: And we are also here with Dave Linthicum, Chief Technology Officer of Bick Group and also a prolific cloud blogger and author. Welcome back to you as well, Dave.

Dave Linthicum: Thanks for having me, Dana.

Gardner: Let me go first to you, Jim, and then to Archie. At the RSA Conference, the CSA and HP announced some findings around "Seven Deadly Sins" for cloud adoption. Tell us a little bit about those Seven Deadly Sins, some of the negative issues, before we delve into some of the positive, some of the perhaps heavenly delights of cloud, if you will.

Foregone conclusion

Reavis: Thanks, Dana. The reason we produce these threat listings and do everything we are doing at CSA is that we believe that adopting cloud is a foregone conclusion. We're going to be spending a lot of time on this webcast talking about the benefits. So, it’s to help people do it in the most appropriate and secure way.

You can find the full listing of the Seven Deadly Sins at cloudsecurityalliance.org website, under "Top Threats." I'm not going to list them all in detail. We found that, when you think about going to the cloud, it’s not just security issues that enterprises are concerned about, but rather compliance. A lot of the transparency issues on what your provider is doing becomes something that we want to think about and be really concerned about.

Data is something that we identified as a key threat issue. You want to know where your data is. You want to know how it’s being controlled. You want to prevent it from being leaked or lost completely. Obviously, that goes with any type of computing, but it's certainly something, as we move to this new model, that you want to understand and be concerned about.

We certainly don’t think what we produced was alarmist, but rather to help people adopt cloud.



Then, there's just a variety of things where we want to understand how bad guys will start using the cloud, what new specific issues there are, and when we have the shared infrastructure, how bad people might be able to get in in some way or another and use some form of privilege escalation through virtualization or other sorts of techniques to be able to move into areas where they aren’t allowed.

It’s definitely food for thought. It’s part of your whole risk-management process, when you think about how to take a certain business initiative and use a certain cloud system to accomplish that goal. That’s the whole point of it, and we've gotten pretty good feedback. We certainly don’t think what we produced was alarmist, but rather to help people adopt cloud.

Gardner: Archie Reed, a lot of companies that I've talked to are trying to do this cost-benefit analysis about cloud and what they should be doing. In order to understand that, you have to look at what you need to do to prevent the risks from getting out of hand, but you also need to know about what you get in return for doing it well.

Let’s look at this cost-benefit analysis. We have a good sense of some of the negatives, what you need to do, and some of the investments. What are some of the high-level potentials? What are the paybacks that would balance out some of those risks and investments?

Reed: Thanks, Dana. Just to reiterate what Jim said previously around the Seven Deadly Sins, in order to understand what the cost benefits are, what the impact to an organization is going to be, you have to be aware of the risk analysis you are going to undertake that feeds into a cost-benefit analysis.

I just want to make a couple of points about the top threats, as we lead into these things. First off, it was all about awareness or enlightenment. Given the tone of our discussion today, the key was, as Jim said, not to be alarmist, but to create awareness.

If you don’t understand what’s going on inside the cloud environment that you're using, be it public or private, or some hybrid of those things, then you can't really get the benefits that you're looking for, because you haven’t taken into account the overall risks that are associated with that.

The same risks

I
nterestingly, when we look at this list, if we received any criticism for it at all, it was that it presents the same risks that any large, outsourced business service might encounter. Fundamentally, you need to follow good security practices.

So, when we go into all of this discussion around what is the benefit, we need to do our standard risk analysis. There’s nothing too much that's new here, but what we do see is that when you get to the cloud and you're doing that assessment, it comes down to agility.

Agility, in this sense, has the dimensions of speed at scale. For businesses, that can be quite compelling in terms of economic return and business agility, which is another variation on the theme. But, we gain this through the attributes we ascribe to cloud -- things like instant on/off, huge scale, per-use billing, all the things we tried to achieve previously but finally seem to be able to get with a cloud-computing architectural model.

The risks may go down, if it’s a private environment.



If we're going to do the cost-benefit analysis, it does come down to the fact that, through that per-use billing, we're able to do this in a much more fine-grain manner and then compare to the risks that we are going to encounter as a result of using this type of environment. Again, that's regardless of whether it’s public or private. The risks may go down, if it’s a private environment.

Factoring all those things in together, there's not too much of a new model in how we try to achieve this justification and gain those benefits.

Gardner: Dave Linthicum, we've talked about this a bit in the past and one of things that was memorable in talking with you is that you seem to think that we shouldn’t look at cloud computing through a cost savings lens. It may not even be cheaper or more cost efficient, but you had other, more pressing reasons for moving into the cloud.

First, if I'm correct, explain your rationale on the cost issue and then also what you think are some of the top motivators?

Linthicum: The mistake that a lot of people make is that they go directly for the OPEX versus CAPEX cost. In other words, they're sick of buying waves and waves of servers for their data centers and sick of paying co-los and all those sorts of things. They really want to get into a "pay per drink" cost model in how they consume compute cycles, storage, and all the other things that are kind of innate to the data center.

One of the issues is that public cloud computing providers typically -- and sometimes private cloud computing infrastructure that you set up -- are going to be more expensive than a lot of existing infrastructures. That’s misunderstood out there, unless you are like me and for the last two years have done the analysis over and over again.

However, the notion of business agility, which I heard mentioned, is really where the money is made. It's the ability to scale up and scale down, the ability to allocate compute resources around business opportunities, and the ability to align the business to new markets quickly and efficiently, without doing waves and waves of software acquisitions, setups, installs, and all the risks around doing that. That's really where the core benefit is.

If you look at that and you look at the strategic value of agility within your enterprise, it’s always different. In other words, your value of agility is going to vary greatly between a high tech company, a finance company, and a manufacturing company. You can come up with the business benefit and the reason for moving into cloud computing, and people have a tendency not to think that way.

Innate risks

The point I already made -- and I agree with the guests -- is that you have to weigh that benefit in line with the innate risks in moving to these platforms. Whether or not you are moving from on-premises to off-premises, on-premies to cloud, or traditional on-premises to private cloud computing, there’s always risk involved in terms of how you do security, governance, latency, and those things.

Once you factor those things in and you understand what the value drivers are in both OPEX and CAPEX cost and the trade-offs there, as well as business agility, and weigh in the risk, then you have your equation, and it comes down to a business decision. Nine times out of ten, the cloud computing provider is going to provide a more strategic IT value than traditional computing platforms.

Gardner: Going back to you, Jim, when we think about the benefits of cloud in general, it seems that most people gravitate to this as a way in which we can recast IT processes and functions. But, in a lot of ways, I think there’s just as much interest around using the cloud as a way of reaching audiences, providing services, linking up partners in an ecosystem or process marketplace in ways that hadn’t been possible before.

Do you think it’s a good idea for us to not just think about cloud as a benefit to efficiency and transformation at the IT level, but that in gaining cloud expertise, there's the opportunity to do things vis-à-vis supplying your customers, finding your customers, and even in joining with suppliers in a new way?

Reavis: I'd agree with that, and it echoes a little bit of what Dave has said. When you think about economics, what’s the core of economics? It's supply and demand. Cloud gives you that ability to more efficiently serve your customers. It becomes a customer-service issue, where you can provide a supply of whatever your service is that really fits with their demand.

Their business would not have been able to exist in the earlier era of the Internet. It’s just not possible.



Ten years ago I started a little minor success in the Internet dot-com days. It was called Securityportal.com. You all remember something called the "Slashdot effect," where a story would get posted on Slashdot and it would basically take your business out. You would have an outage, because so much traffic would go your way.

We would, on the one hand, love those sorts of things, and we would live in fear of when that would happen, when we would get recognition, because we didn’t have cloud-based models for servicing our customers. So, when good things would happen, it would sometimes be a bad thing for us.

I had a chance to spend a lot of time with an online gaming company, and the way they've been able to scale up would only be possible in the cloud. Their business would not have been able to exist in the earlier era of the Internet. It’s just not possible.

So, yeah, it provides us this whole new platform. I've maintained all along that we're not just going to migrate IT into the cloud, but we're going to reinvent new businesses, new business processes, and new ways of having an intermediary relationship with other suppliers and our customers as well. So it’s going to be very, very transformational.

Gardner: Similar question to you, Archie. When HP looks at the potential for cloud in its own right as a company, I should think that there is a lot of interest and efficiency for delivering services and providing a cloud capability for that. You've already got a lot of software-as-a-service (SaaS)-based services for application lifecycle management, and test and dev, and so forth. How do you see the difference between cloud as it affects IT and then cloud as it affects business?

Outcomes are core

Reed: At HP, when we talk to customers and even try to evaluate internally, we talk about this thing called business outcomes being core to how IT and business align. Whether they're small companies or large companies, it's providing services that support the business outcomes and understanding that ultimately you want to deliver.

In business terms, it's more processing of loan requests and financial transactions. Then, if that’s the measure that people are looking at what the business outcomes need to be, then IT can align with that and they become the service provider for that capability.

We've talked to a lot of customers, particularly in the financial industry, for example, where IT wasn’t measured in how they cut costs or how much staff they had. They were measured in incremental improvements on how many advances could be made in delivering more business capability.

In that example, one particular business metric was, "We can process more loans in a day, when necessary." The way they achieved that was by re-architecting things in a more cloud or service-centric way, wherein they could essentially ramp up, on what they called a private cloud, the ability to process things much more quickly.

Now, many in IT realize -- perhaps not enough, but we're seeing the change -- that they need to make this toward the service oriented architecture (SOA) approach and delivery, such that they are becoming experts in brokering the right solution to deliver the most significant business outcomes.

That becomes the latency that drives the lateness of the business process changes that need to occur within the enterprise.



The source of those services is less about how much hardware and software you need to buy and integrate and all that sort of thing, and more about the most economical and secure way that they can deliver the majority of desired outcomes. You don’t just want to build one service to provide a capability. You want to build an environment and an architecture that achieves the bulk of the desired outcomes. Does that make sense?

Gardner: Sure. Dave Linthicum, we talked about agility, let’s see if we can unpack that a little bit and get a little bit more detail. That’s kind of a general umbrella topic or a moniker.

When we think about business process, if you're focused at the business process level, and I think that’s what Archie was alluding to, rather than the supporting infrastructure or the applications, if we start composing business processes from services, rather than discrete applications, it seems to me we gain an opportunity to be responsive. That is to say, a business process can be examined and then perhaps some data analysis can be applied. Then, we can ask how do we do that better.

Does cloud computing allow us to then adjust a business process or even come up with innovations built upon existing processes in ways that traditional IT simply can’t or just can’t within the necessary time frame?

Linthicum: Yes. The latency that people are running into in traditional IT is not really aligning the business processes, because usually they have the ability to do that in one way or form, either in composites or a true business process layer, which already exists. It’s the ability to stand up the services that they need in terms of storage, compute, different things like risk analytics in the financial market, and how all those things basically tie together. That becomes the latency that drives the lateness of the business process changes that need to occur within the enterprise.

Additional capabilities

Cloud computing will provide us with some additional capabilities. It's not necessarily nirvana, but you can get at compute and you can get at even some of these pretty big services. For example, the Predictive API that Google just announced at Google I/O recently is an amazing piece of data-mining stuff that you can get for free, for now.

The ability to tie that into your existing processes and perhaps make some predictions in terms of inventory control things, means you could save potentially a million dollars a month, supporting just-in-time inventory processes within your enterprise. Those sorts of things really need to come into the mix in order to provide the additional value.

Sometimes we can drive processes out of the cloud, but I think processes are really going to be driven on-premises and they are going to include cloud resources. The ability to on-board those cloud resources is needed to support the changes in the processes and is really going to be the value of cloud computing.

That the area that’s probably the most exciting thing. I just came back from Gluecon in Denver. That is, in a sense, a cloud developers’ conference, and they're all talking about application programming interfaces (APIs) and building the next infrastructure.

When those things come online, become available, and we don’t have to build those things in-house, we can actually leverage them into a "pay per drink" basis through some kind of provider, buying those into our processes. We'll perhaps have thousands of APIs that exist all over the place, and perhaps even not even local data within these APIs.

That’s where the value of cloud computing is going to appear, and we haven’t seen anything yet. There are huge amounts of value being built right now.



They just produce behavior, and we bring them together to form these core business processes. More importantly, we bring them together to recreate these core business processes around new needs of the business.

Reed: It's the same for me. I was also at Gluecon this week, and there were several threads going on. Certainly the API thread was fascinating in terms of the sheer number of APIs that were being created and the various approaches being used in those things.

At the same time, one of the other tracks was on a whole set of concerns around the legal and security risks associated with piecing all this together. As it was the developers’ conference, the legal thread was less attended than the API thread. But, there is obvious concern about how all these things piece together, how we put the controls in place, and where we get those services from.

I definitely agree with Dave that some of the core processes, especially for larger and more security-sensitive organizations that consider their core IT to be their business processes, are going to be maintained internal to the organization. Some may be willing to put them out, but in majority of cases, we find people want to retain the IT internally.

But being able to reach out through those APIs in a safe and secure way, controlled way, to get data, analysis, and capabilities from within the cloud is definitely where we are headed. That Google analytics stuff is one example.

Internal or external

We've already seen in terms of analysis tools, the GIS stuff, geographical information, where people are just putting maps up and overlaying stuff. The data may be internal to them, but the capability of drawing a map and getting the geographical data comes from outside, and that’s created incredible types of what we call mashups, such that we expect and have seen in some cases.

Businesses are now doing their own mashups and they only get there by understanding how all these APIs, these security tenants, these legal requirements, come together. In some cases, they're ignoring those for expediency today, but ultimately the management of those things is going to be key here.

Linthicum: Just a short comment on that. One of the things that was not a message that was well received at Gluecon, being a bunch of developers, was that you need to do your stuff in the context of a good security strategy and a good governance strategy. So, how you are going to leverage these systems and policies and usage you put around it? That really becomes the core problem to solve before you go off and make this happen.

I don't know if you saw my keynote presentation I did the first day of the conference, but I went into a lot of those things. When I talked to some of the attendees, I noticed that really wasn’t well understood or even well received.

That’s a tad scary, because they're driving out in the market, creating and leveraging these APIs. In many instances, they're ungoverned. They're insecure. We don’t know exactly what they're doing, and they actually can create some vulnerabilities, which will open the risk that costs way more than any kind of benefits we're getting from cloud computing.

I think it requires them to translate their governance concepts and their controls into a new environment. It's going to take some real thinking to do that.



Gardner: Jim Reavis, let’s look into governance a bit. When companies start exploring more business process and agility efficiencies around cloud, they get exposed in ways that they wouldn’t if they were locked down inside their four walls.

But, becoming exposed, sharing data, exploring and using APIs from other parties, doesn’t this, in a sense, force these companies to adopt better methods and policies and start thinking about things that they probably should have been doing anyway? The question is, does cloud, by its nature, force organizations to become better at things like governance, policies, and best practices?

Reavis: I think it requires them to translate their governance concepts and their controls into a new environment. It's going to take some real thinking to do that.

I was one of the three, I guess, who didn’t go to Gluecon. So, thanks Dave and Archie for not inviting me. I guess it's because they're authors and I just read cartoons all the time, but I think the points there are very well made.

We're going to see the market provide the SOA governance and brokering tools that allow you to control a lot of these things and give the customer the ability to put in XAML, for example, and create some policies that they can embed and have some brokering involved, so that when the developers are out trying to create these mashups with a variety of different APIs, they can insert some sort of policy governance and have that look like another SOA-type service.

Frameworks and tools

We're not trying to dictate to the developers completely how they develop these new applications, but we are giving them some frameworks and tools that they can embed in the way they understand things, in the way they like to do business.

I want to quickly mention, though, that we've got a huge history behind us that tells us that internal networks are not locked down and secured. Having data on 100,000 machines, laptops, and every place else that has no controls over it, is a pretty perilous place to be.

Now, we understand that we're moving to a new platform. Let’s do our best to control that, but let’s try and deflate little bit that traditional IT is more secure than cloud. I'm really not ready to say that.

Reed: There are a couple of points I want to make, so that we're sure we're not just hand waving and all that. I think the incentives, the risks, and all those things change dependent on the type of business we're looking at.

Ultimately, it does require that you shore up a lot of your security and governance processes within organizations that probably don’t do security and governance processes as well as they think they do.



Certainly, when we talk to smaller organizations and mid-sized organizations as well, they're looking for the edge that they can gain in terms of cost and support and, in most cases, more security. In this case, they look for broader back-office solutions than perhaps some of the larger organizations, things such as email, account management, HR, and so forth, as well as front-end stuff, basic web hosting and more advanced versions of that.

We've implemented things like Microsoft Business Productivity Online Suite (BPOS) for many customers, especially in the mid range. They do find better support, better up time, better cost controls, and to Jim’s point, more security than they are able to provide for themselves.

When we get to talk to larger organizations, some are looking for this. We know, even in the financial industry, which you might consider to be one of the most security paranoid type environments there are outside of the three-letter agencies, they find that kind of thing appealing as well. Some of those have actually gone to use Salesforce.com for some of their services.

But, they're generally more concerned with the security stuff and they often find specific capabilities more appealing in a service model, such as data processing, data analysis, data retrieval, functional analysis, and things like that. The mashups are definitely more popular as a type of model or the service-oriented nature is more popular model with larger organizations that we talk to.

Gardner: What do you think Dave Linthicum? Is there an under-appreciated value to cloud in that, in moving to cloud models, you have to adopt the right processes around security, governance, and other risk mitigating activities that makes you a stronger, better company overall. That is to say, cloud is like New York -- if you can make it there, you can make it anywhere?

Linthicum: Ultimately, it does require that you shore up a lot of your security and governance processes within organizations that probably don’t do security and governance processes as well as they think they do.

Huge exposures

In some of the audits that I do, I often find huge exposures in how they do the on-prem systems. As they're moving into cloud, they push back on the security aspects of it all the time, and people are walking off on a daily basis with laptops full of customer data, critical data, and their IT. They just don’t understand it, because they don’t have the audits, the best practices, and the security mechanisms around that.

Moving into cloud is going to make people think in a very healthy, paranoid state. In other words, they are going to think twice about what information goes out there, how that information is secured and modeled, what APIs they are leveraging, and service level agreements (SLAs). They're going to consider encryption and identity management systems that they haven’t done in the past.

In most of the instances that I am seeing deploying cloud computing systems, they are as secure, if not more secure, than the existing on-premise systems. I would trust those cloud computing systems more than I would the existing on-premise systems.

That comes with some work, some discipline, some governance, some security, and a lot of things that we just haven’t thought about a lot, or haven’t thought about enough with the traditional on-premise systems. So, that’s going to be a side benefit. In two years, we're going to have better security and better understanding of security because of cloud.

Gardner: So, as we're now looking for even more benefits, paybacks, and improvements to your overall business by being a cloud adopter, how about at the competitive level? It seems to me that there are benefits to first movers.

In terms of first mover, late to market, or fast follower, there’s always a potential risk and benefit to any of those things.



It's been established by some of the best management consultants and business schools in the world that being the first to a market gives you very powerful benefits. Does cloud offer the opportunity for those who are willing to do the work and be aggressive and innovative an opportunity to enter markets in new ways?

One example is Apple computer. Apple has been aggressive. They don’t talk about cloud, but when you look at MobileMe, iTunes downloads, and the App Store, these to me are cloud-based services that have allowed Apple to grow mightily in the past few years, not just based on their devices, but based on their use of cloud.

So, there’s a first-mover advantage. Do you all agree -- and we will go around the panel -- that there’s a competitive benefit, at least for the foreseeable future, in your own markets, as enterprises have exploited cloud as a competitive cudgel. How about that, Archie?

Reed: In terms of first-mover, late-to-market, or fast-follower, there’s always a potential risk and benefit to any of those things. I agree that perhaps Apple has benefited, but I wouldn’t call them first movers in this space. I would say that they have been fast followers.

By that, I mean that even if you look at iTunes or the iPod itself, those things came after existing services already were in place. What they were able to do, if we take that as an example, was tie those together into an ecosystem that basically created their momentum to move forward.

Scaling really fast

The reality is not that the advantage is being able to be the first mover in cloud computing, but the fact that cloud allows you to scale and go big really fast. It allows you to sit in the fast-follower position and gain just as much as any first mover, because the gap between seeing a business opportunity and being able to deliver on that requirement or business opportunity is so much less than what it was previously.

You don’t have to ramp up huge amounts of services that take months. You can scale up in a matter of hours or days. As long as the wave isn’t so huge, and it rarely ever is, you can always get into that market space using this type of model.

Gardner: I'd like to pick up on one of the points you made about being able to establish an ecosystem. If you're exploiting cloud effectively, does that give you an advantage in how you can carve out an ecosystem, become a hub, and therefore be in a very profitable position within that ecosystem?

Reed: I'll take a quick stab at that. I think there's going to be a window for a number of years where that is the case. There will be businesses that are willing and able and can manage cloud-type environments to their benefit. But, eventually, the gaps become so small and the availability of these services online becomes so ubiquitous that I'm not sure how long this window goes for.

I don’t want to say that, in a few years, everybody will be able to deliver the same thing just as quickly. But for the moment, I think there’s a few forward thinking organizations that will be able to achieve that to great success.

There are going to be a lot of new capabilities that will only be accessible in this platform, and they're going to come a lot quicker.



Gardner: Jim Reavis, same to you. What about the competitive benefits that businesses should consider when evaluating cloud in terms of that cost benefit analysis?

Reavis: Businesses are so dependent on technology now and into the future, and we always try to stay innovative and competitive. If you just look at this from a developer standpoint, you don’t see a lot of new applications for the Commodore 64 anymore.

The organizations that are developing what they think is state-of-the-art, but it’s not cloud, are going to be struggling, because all of the neat, interesting new developments. It’s hard to even put your head around all of implications of compute-as-a-utility and all the innovation we are going to see, but we know it’s going to be on that platform.

If you think of this as the new development platform, then yeah, it’s going to be a real competitive issue. There are going to be a lot of new capabilities that will only be accessible in this platform, and they're going to come a lot quicker.

Five years from now

So, in terms of the first movers and the environment now, it’s going to look very different. Anybody who carved out some space right now and some lead in the market in cloud shouldn't feel too comfortable about their position, because there are companies we don't even know about at this point, that are going to be fairly pervasive and have a lot to say about IT five years from now.

Reed: I just want to make a point there, Jim. You can actually get a Commodore 64 emulator for the iPhone. So, there may be some new stuff coming up. I'm not sure, but it is possible.

Gardner: Yeah, there is the long tail in reverse. It’s backward-compatibility from the cloud.

Dave Linthicum, same question to you, the competitive benefits of being aggressive in cloud computing at some of the highest business issue levels.

Linthicum: We already talked about the business agility aspect of it, but ultimately, even as these younger companies who are leveraging more cloud than a lot of the older companies out there start to grow up, they are going to find that their IT CAPEX costs are, in many instances, nonexistent.

They are going to have some on-premise systems, but they are used to putting things in the cloud. They are Salesforce.com adopters early on. They're using Amazon now. They've figured out security and governance and ultimately they are going to have these very agile business systems that are able to run rings around their competition.

Some of the things we always talk about around enterprise architecture are going to kill the company, because they can’t do the acquisitions and they can’t move into market spaces.



I don’t think we're going to see this anytime soon, but I definitely think that by 2015 or 2016, you're going to see some businesses suffering from IT bloat. They're very static, monolithic systems, very difficult to change, and very fragile. Some of the things we always talk about around enterprise architecture are going to kill the company, because they can’t do the acquisitions and they can’t move into market spaces.

By the way, their new competitors that came out of nowhere get cloud computing because they've used it from the get-go. They're going to be able to leverage that as the strategic value that’s going to allow them to dominate the market. We're seeing some of this today in some of the smaller spaces, but it’s not very pronounced.

But, it’s going to be very pronounced to the point that business journals are going to talk about it, and a lot of companies are going to go out, because some of the folks are able to leverage technology for strategic IT advantage to beat them into the ground. Look at Wal-Mart. They leveraged IT for a huge strategic advantage to beat their competitors into the ground to lower their prices. We're going to see that a hundred times over in five years.

Reed: I'd agree. I can give you an example, Dana. I spoke to a very small group of individuals, fewer than 50. They're designers and architects, and they've come together to form this company. Their claim was that they didn’t need any IT anywhere, because they were using cloud services for everything.

Even the provisioning system, the controls about who had access to what, was all done in the cloud. All they needed was their big old Macs, the 27-inch Macs, and their huge HP screens. As long as they could get online, they were in business.

This small company's claim, when I was talking to them, was that they had just beaten out the largest established architectural firm in Ireland for a bid in Dublin. They had done that by being able to work round the clock, online, at all times, and deliver it to the customer in a much shorter time than anyone else was able to. They did it all through cloud services.

So, it’s quite compelling to see small businesses compete with the larger businesses, and unless big businesses understand what’s going on, we're going to see a few start to lose business in this sense.

Gardner: Well, I'm afraid we'll have to leave it there. Suffice it to say that we've clearly identified in the market, over the past several years, some significant hurdles and risks to cloud computing. But, some of these benefits also sound extremely compelling and almost not an option, when you consider the competitive issues. That cost-benefit analysis can easily come down on the side of a must-do, even if the risks are substantial.

We've been talking about identifying some of the top reasons and paybacks for adopting cloud computing and why you should perhaps do those sooner rather than later.

I want to thank our panel. We've been joined by Archie Reed, HP’s Chief Technologist for Cloud Security and the author of several publications including "The Definitive Guide to Identity Management" and "The Concise Guide to Cloud Computing." Thank you so much, Archie.

Reed: Thank you.

Gardner: We've also been joined by Jim Reavis, executive director, Cloud Security Alliance and president of Reavis Consulting Group. Thank you Jim.

Reavis: Thanks, Dana.

Gardner: Lastly, I also want to thank Dave Linthicum, CTO of Bick Group and a prolific cloud blogger, podcaster, and you said that you did your 100th cloud podcast recently Dave?

Linthicum: Just filed a 100th podcast, after two years.

Gardner: Congratulations. And also the author of several notable books. Thanks to you.

This is Dana Gardner, Principal Analyst at Interarbor Solutions. You've been listening to a sponsored BriefingsDirect podcast. Thanks for listening and come back next time.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. Sponsor: HP.

Transcript of a BriefingsDirect podcast on how adopting cloud computing models can lead enterprises to gain business and technology benefits. Copyright Interarbor Solutions, LLC, 2005-2009. All rights reserved.

You may also be interested in:

Tuesday, June 08, 2010

Focusing on Applications Key to Enabling Strong Security in Emerging Cloud Models

Edited transcript of a podcast and video panel presentation from the RSA Conference on bringing security best practices to cloud-based computing models.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. View the video. Sponsor: Akamai Technologies.

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Dana Gardner: We're in San Francisco at the RSA Conference to talk about security and cloud computing. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your host and moderator for today's special sponsored podcast and video presentation.

We're going to look at the intersection of cloud computing, security, Internet services, and Internet-based security practices to uncover differences between perceptions and reality.

Today's headlines point toward more sophisticated and large-scale and malicious online activities. For some folks, the consensus seems to be that the cloud model and vision are not up to the task when it comes to security.

We're going to examine why security concerns count, not only as a risk, but also as an amelioration of risk. We're going to talk about why security is not just part of the cloud -- or part of the enterprise -- but cuts across all aspects of IT.

When we think about security, we're not focused on distributed defenses only. We're not talking about the edge only. We need to talk about best practices across all aspects of IT.

And so join me in welcoming our panel. Here to look at the reality versus the perception is Chris Hoff, Director of Cloud and Virtualization Solutions at Cisco Systems.

Chris Hoff: Thanks, Dana. Great to be here.

Gardner: And Jeremiah Grossman, the founder and Chief Technology Officer at WhiteHat Security.

Jeremiah Grossman: Thank you very much for having me.

Gardner: Andy Ellis, the Chief Security Architect at Akamai Technologies.

Andy Ellis: Great to be here, Dana.

Gardner: As I mentioned, we're looking at security across a wider spectrum. People have honed in on the cloud and said, "Wow, that can't be secure. I can't put data and applications there and expect it to be mission-critical and reliable. I can't expect people won't be able to get to it if they want to, if they tried hard enough."

Is there a gap here between perception and reality, or are we not looking at the problem in the wrong context?

Huge gap

Ellis: There's a huge gap in what people think is secure and what people are doing today in trusting in the security in the cloud. When we look at our customer base, over 90 of the top 100 retailers on the Internet are using our cloud-based solutions to accelerate their applications--and what's more mission-critical than expecting money from your customers?

At Akamai, we see that where people are saying, "The cloud is not secure, we can't trust the cloud." At the same time, business decision makers are evaluating the risk and moving forward in the cloud.

A lot of that is working with their vendors to understand their security practices and comparing that to what they would do themselves. Sometimes, there are shifts. Cloud gives you different capabilities that you might be able to take advantage of, once you're out in the cloud.

Gardner: So, 12, 15 years ago, people were saying, "I can't use my credit card on the Web. I can't do ecommerce safely. I can't do retail sales." We've seen quite a bit of that. Tell us a little about Akamai and what you do and why that was relevant to the web then, and perhaps is relevant to the cloud now.

Ellis: At Akamai we have a network of over 61,000 servers, distributed in about 950 different networks around the world. Our customers use those servers to deliver content, accelerate their applications to their end users, and take advantage of the cloud-based computing inherent in our servers to gain capabilities they wouldn't have otherwise.

For instance, recently we added our web application firewall, which permits our customers, just at the click of a button, to have an application firewall running all the way out at the edge of their network. We look at that and say, "This is a great opportunity for our customers to quickly scale, deal with the cloud, and gain those advanced capabilities."

People, as you noted, used to say, "Oh, credit cards aren't secure on the Web. I will never do that." At the same time, you saw people using credit cards online. People weren't necessarily as happy about it until they gained a level of comfort. I think that's an area where people are a little resistant to change.

We see cloud computing, and everybody jumps to big heavyweight cloud computing, that virtualized servers are out at the edge. There is a whole spectrum of capabilities in between virtualized servers and just delivering some content that people can take advantage of and are doing today.

Gardner: Do you think that cloud computing is the problem, the solution, or both to security?

Ellis: I don't think it's either the problem or the solution. It's a piece of the solution. It's a piece of the problem. People look at how to secure applications. Sometimes, people get very comfortable with a given security model. They say, "This is how I've done business for the last year. This is how I will secure it."

You say, "Well, you could do business in a different fashion." Often, that's driven by a business owner inside a company. They see an opportunity to accelerate their revenues and reduce their cost, but it has to change the model that people think about. I don't see that as a problem of security. I think the bigger problem is that sometimes we're resistant to change.

Gardner: Jeremiah, WhiteHat Security takes it upon itself to find what's wrong with the security in certain organizations and you focus on it. First, tell us about WhiteHat and then also tell us what people should be worried about, when it comes to cloud computing. Is this a different problem set when it comes to security?

Assessing security

Grossman: WhiteHat Security is in the website vulnerability management business. Our job is to assess the security of a website, as it exists in an operational environment, to get the same point of view that a hacker would if they tried to break in.

Our job is to find those vulnerabilities ahead of time and help our customers fix those issues before they become larger problems. And if you look at any security report on the Web right now, as far as security goes, it's a web security world. Bad guys have broken into website after website after website and stolen everything that they possibly can. Our our job is to help stop that and measure the security of the web.

Gardner: What's different about cloud computing? As people look to do more applications and infrastructure in the cloud, should they be thinking about the same level of security that they would with their website -- or is this a different problem?

Grossman: An interesting paradigm shift is happening. When you look at website attacks, things haven't changed much. An application that exists in the enterprise is the same application that exists in the cloud. For us, when we are attacking websites and assessing their security, it doesn't really matter what infrastructure it's actually on. We break into it just as same as everything else.

What's different among our customer base is that they can't run to their comfort zone. They can't run to secure their enterprise with firewalls, intrusion detection systems, and encryption. They have to focus on the application. That's what's really different about cloud, when it comes to web security. You have to focus on the apps, because you have nothing else to go on.

Gardner: Chris Hoff, not only are you active in cloud solutions at Cisco, but you are a founding member of the Cloud Security Alliance (CSA). So, this is something you have been focused on. When we look at cloud services, we're talking about the livelihood of the cloud provider. If they don't do security well, they're not going to last very long.

Is there a different level of competency, a higher bar, for a cloud provider than for a typical enterprise? And is that part of the solution?

Hoff: That's an interesting question, because in many cases we use the term cloud and cloud computing synonymously. Depending upon the conversation you're having, cloud computing could be a noun, a verb, or an adjective. Why that's important is that there is no such thing as the cloud. There's not a single thing to which you could point to suggest that there is a common implementation and deployment model for cloud computing, which is an operational model, not a technology.

The reason that's important to your point is that, when you look at a cloud provider, they could be in the business of providing software-as-a-service (SaaS), which, in many cases, has emerged from plain old web apps that don't have many of the technical characteristics that one would associate with cloud computing -- elasticity, dynamism, self-service. They are just Internet connected web apps, SaaS. But then, there's a new generation of SaaS that's actually based on a lot of this flexible infrastructure that powers these very dynamic environments.

In that case, where a vendor who is a SaaS supplier manages the entire stack infrastructure, applications, and content, we have over time come to put a great deal of trust in the sanctity of the operations security, confidentiality, integrity, and availability of those services. There's not a whole lot new in that business.

For example, if you're trusting your sales figures context, and you have for years, that provider, whether they're cloud-based or not, has a particular set of service level agreements (SLAs) that they strive to hit, regardless of whether they brand themselves cloud or not.

Business' responsibility

The further down the stack you go, to platform and infrastructure-as-a-service (IaaS) providers, in many cases, those providers are in the business of maximizing availability, and give you the most robust, scalable, high performance, and available set of resources. But, confidentiality and integrity, the applications and data that Andy and Jeremiah were speaking to, are really still the responsibility of the business owner.

Those cloud providers -- cloud service and cloud computing providers -- are in the business of making sure that they can offer you really robust delivery. At this time, they focus there. We have a challenge to take everything we have done previously, in all these other different models, still do that, and deal with some of the implementation and operational elements that cloud computing, elasticity, dynamism, and all this fantastic set of capabilities bring.

We in the security industry in some way try to hold the cloud providers to a higher standard. I'm not sure that the consumer, who actually uses these services, sees much of a difference in terms of what they expect, other than it should be up, it should be available, and it should be just as secure as any other Internet-based service they use.

So we get wrapped around the axle many times in discussions about cloud, where a lot of what we are talking about still needs to be taken care of from an infrastructure and application standpoint.

Gardner: I want to focus on this notion of things being done differently now with cloud computing and its various permutations. You alluded to this as well, Andy, in terms of a paradigm shift.

Now, they have to tackle a really sticky wicket. Do you have a safe application wherever it lives?



As I understand it, if you're a SaaS provider, you have full control over the entire stack and you can control and manage security appropriately. If you're an enterprise, similarly, you have complete control over what happens inside your firewall, you can manage your perimeter. But now we're talking about cloud computing as a hybrid, where some aspects of what you are doing may be on-premises and other aspects might be on a single provider or a variety, and the network is the go-between.

What’s different now, Andy, about managing this from a security perspective? Who is in charge? Who can be in a governance role to oversee that spectrum across such a hybrid affair?

Ellis: Ultimately, the data owner, the business who is actually using whatever the compute cycles are. As Chris alluded to, it used to be that people would fall back on certain types of security to deal with their issues. Jeremiah also alluded to that as well.

That’s the challenge for people who are moving out to the cloud. That area may be in the purview of the provider. While they may trust the provider, and the provider has done the best they can do in that arena, when they still see risks, they can no longer say, "I'll just put in a firewall. I'll just do this." Now, they have to tackle a really sticky wicket. Do you have a safe application wherever it lives?

That’s where people run into a challenge: "It’s cloud. Let me make the provider responsible." But, at the end of day, the overall risk structure is still the responsibility of the business.

Gardner: At WhiteHat, if you were to look at the application, would you be able to go back and say to the service provider, "Listen, you don’t want to let that application in, because it hasn’t been architected properly." Do you think that the providers of cloud services need to be taking a governance role in deciding what applications should or shouldn’t be allowed to live in their environments, too?

It's not yours

Grossman: To piggyback on what Andy said, something has been lost. When you host an application internally, you can build it, you can deploy it, and you can test it. Now, all of a sudden, you've brought in a cloud provider, on somebody else’s infrastructure, and you have to get permission to test it. It’s not yours anymore.

Actually, one of the big things [to attend to] out there is a right to test. You have no right to test these infrastructure systems. If you do so without permission, it's illegal. So, you have lost visibility. You've lost technical visibility and security of the application.

When the cloud provider changes the app, it changes the risk profile of the application, too, but you don’t know when that happens and you don’t know what the end result is. There's a disconnect between the consumer, the business, and the cloud computing provider or whatever the system is.

Gardner: Chris, are we talking about more of a higher level of complexity, the complexity being how you secure a cloud-based activity versus on-premises activity? Is that complexity something that plays into risk, and therefore people should be more concerned about cloud-based activities? Are we getting ahead of ourselves?

Hoff: Going back to the statement I made about getting wrapped around the axle, what’s been interesting over the last year is that we as an industry, or just in general, have been so focused on what is cloud computing that we have forgotten the more important point, which is, how can we use cloud computing?

You alluded to a hybrid model -- on-premises, off-premises, enterprise, self-governance of controls, at the perimeter or the edge, and then outsourcing things with hosting and collocation and SaaS. The last time I checked, we have been doing that for about 10, 15 years, probably more.

Cloud computing has become a fantastic forcing function, because what its done to the business and to IT.



To your question, the complexity has come about when we've tried to adapt new or relevant advances in technology and associate them in some sort of branding. I like to say that if your security stinks before you move to the cloud, you will be pleasantly unsurprised by change, because it’s not going to get any better -- or probably not even necessarily any worse -- when you move to cloud computing.

It's important to really take a look at what you already do, in terms of practices; extranets, how you integrate business partners, and the hybrid model of access -- the blurring, with consumerization of IT. "Is this a work device, is this a home device?" Where do I access it from, how am I using the information?

Cloud computing has become a fantastic forcing function, because what its done to the business and to IT. We talked about paradigm shifts and how important this is in the overall advancement of computing.

The reality is that cloud causes people to say, "If the thing that’s most important to me is information and protecting that information, and applications are conduits to it, and the infrastructure allows it to flow, then maybe what I ought to do is take a big picture view of this. I ought to focus on protecting my information, content, and data, which is now even more interestingly a mixture of traditional data, but also voice and video and mixed media applications, social networks, and mashups."

Fantastic interconnectivity

T
he complexity comes about, because with collaboration, we have enabled all sorts of fantastic interconnectivity between what was previously disparate, little mini-islands, with mini-perimeters that we could secure relatively well.

The application security and the information security, tied in and tightly coupled with an awareness of the infrastructure that powers it, even though it’s supposed to be abstracted in cloud computing, is really where people have a difficult time grasping the concepts between where we are today and what cloud computing offers them or doesn’t, and what that means for the security models.

Gardner: It sounds as if the emphasis on security is being elevated. We used to look at securing components or parts, or maybe a stack -- if we were really good. Now, we're talking about securing a process. We're looking at security from a different vantage point and elevation. That might be a good thing. That might give us better security, because we are thinking about it as a function of a cloud-based activity. Does that make sense, Andy?

Ellis: Absolutely. There's a great initiative going on right now called CloudAudit, which is aimed at helping people think through this security of a process and how you share controls between two disparate entities, so we can make those decisions at a higher level.

If I am trusting my cloud provider to provider some level of security, I should get some insight into what they're doing, so that I can make my decisions as a business unit. I can see changes there, the changes I am taking advantage of, and how that fits my entire software development life cycle.

Cloud computing, depending on who you talk to, encompasses almost everything; your kitchen blender, any element that you happen to connect to your enterprise and your home life.



It’s still nascent. People are still changing their mindset to think through that whole architecture, but we're starting to see that more and more -- certainly within our customer base -- as people think, "I'm out in the cloud. How is that different? What can I take advantage of that’s there that wasn’t there in my enterprise? What are the things that aren’t there that I am used to that now I have to shift and adapt to that change?"

Gardner: So, we're here at RSA, perhaps the premier security show. We've been talking about a lot of interesting things this week. One of the things that jumped out at me was an announcement from the CSA that prodded enterprises to be thinking differently about security.

One of the things that really grabbed me was to help secure other forms of computing, being cloud-based in your security emphasis. How does that work? How is it that you can focus on cloud-based security and have it trickle down, if you will, and make you more secure across all of your IT activities?

Hoff: As I alluded to previously, cloud computing, depending on who you talk to, encompasses almost everything; your kitchen blender, any element that you happen to connect to your enterprise and your home life.

Two views

There are really two views, when it comes to defining cloud computing, as it relates to your question. There is the technician and the clinician’s view, which is very empirical, has lots of layer, stacked models, things that IT professionals can relate to in ways that allow us to break things down and be very analytical. They have delivery models, service models, and essential characteristics. It's a great thing to sit there and debate on Twitter.

What’s really interesting is the juxtaposition of the consumers' view, which basically and simply stated says that anything that connects to the Internet on any device that interacts with my information of data in any way is also cloud computing.

So, you look at those two things, you juxtapose, and you are not going to tell a your customer that they're wrong. You could try. It’s like jousting with windmills. But trying to reconcile those two things is very important, because, when we think about the opportunities here, the reality is that cloud computing offers us a tremendous set of benefits from the perspective of flexibility and agility. In some cases there are cost savings. Sometimes, it might cost more. That is just diametrically opposed.

Anything with the word dynamism in it, that’s dynamic, doesn’t compute quite literally, as it relates to how we think about security today. So, what’s happening ultimately is an adjustment on focusing in on the information.

Regardless of how I use the information, cloud computing, could secure other forms. Take your smartphone, for example. You think of that now as an amazingly rich and capable platform for a computing experience, which it is. Is that cloud computing? In many cases, people would say, yes, absolutely.

Consumers could care less whether it's running on a blade server, distributed in 1,000 countries, or in outer space. What they care is that the services are available.



We focus a lot on the backside -- moving parts of data centers, IaaS, and we get wrapped around the axle on how it's important to IT. Consumers could care less whether it's running on a blade server, distributed in 1,000 countries, or in outer space. What they care is that the services are available.

What we're learning today is that if we secure our information and applications properly and the infrastructure is able to deal with the dynamism, you will, by default, start to see derivative impacts and benefits on security, because our models will change. At least, our thinking about security models will change.

Gardner: So the expectation of the consumer is perhaps the starting point and you need to back up from there. The consumer’s expectation has been, "I want to be able to do everything I can possibly do on this mobile device, no matter where I am, and I don’t care what's between me and that application, that's somebody else’s problem." Here we are on the IT side, thinking, "Now we have to adapt to that."

Jeremiah, is there going to be a market advantage for companies that accept as their reality and their vision? Do we need to look at security through a different lens, to look at cloud computing as the future, recognize the expectations of the consumer and the business and channel partners that we deal with? If we do that right, are we going to be able to leapfrog our competition?

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Awareness of break-ins

Grossman: What I've seen in the last couple of years is that what drives security awareness is break-ins. Whether the bad guys are nation- or state-sponsored actors or whether they are organized criminals after credit card numbers, breaches happen. They're happening in record numbers, and they're stealing everything they can get their hands on.

Breaches make headlines. Headlines make people nervous, whether it's businesses or consumers. When a business outsources things to the cloud or a SaaS provider, they still have this nervous reaction about security, because their customers have this nervous reaction about security. So they start asking about security. "What are you doing to protect my data?"

All of a sudden, if that cloud provider, that vendor, takes security seriously and can prove it, demonstrate it, and get the market to accept it, security becomes a differentiating factor. It becomes an enabler of the top line, rather than a cost on the bottom line.

Gardner: Trust is a very important business advantage. We've seen that in the auto industry to a disadvantage recently. If you are in the Internet services side of things, trust is going to be perhaps assimilated with your brand for better or worse. Andy, what should our audience know about cloud-based security solutions in order for them to take advantage of these, but without being subjected to the risk?

Ellis: I like to look at security as being a business-enabler in three areas. The obvious one, we all think, is risk reduction. How can I reduce my risk with cloud-based security services? Are there ways which I can get out there and do things safer? I'm not necessarily going to change anything else about my business. That's great and that's our normal model.

There are a lot of services available through the cloud that can be used to protect your brand and your revenue against loss, but also help you grow revenue.



Security can also be a revenue-enabler and it can also be a protection of revenue. Web application firewalls is a great example of fraud mitigation services. There are a lot of services available through the cloud that can be used to protect your brand and your revenue against loss, but also help you grow revenue. As you just said, it's all about trust. People go back to brands that they trust, and security can be a key component of that.

It doesn't always have to be visible to the end user, but as you noted with the car industry, people build the perception around incidents. If you can be incident-free compared to your competition, that's a huge differentiator, as you go down into more and deeper activities that require deep trust with your end users.

Gardner: Let's get to the heart of the matter here. What is it that really should concern people, risk-wise, about moving to a cloud model? What is it technically that is different? And, if it's not technical, what is it about this paradigm shift of doing things differently that needs to engender some kind of a change? What is it that we are facing?

Hoff: What's interesting about cloud computing as a derivative set of activities that you might have focused on from a governance perspective, with outsourcing, or any sort of thing where you have essentially given over control of the operation and administration of your assets and applications, is that you can outsource responsibility, but not necessarily accountability. That's something we need to remember.

Think about the notion of risk and risk management. I was on a panel the other day and somebody said, "You can't say risk management, because everyone says risk management." But, that's actually the answer. If I understand what's different and what is the same about cloud computing or the cloud computing implementation I am looking at, then I can make decisions on whether or not that information, that application, that data, ought to be put in the hands of somebody else.

No one-size-fits-all

In some cases, it can't be, for lots of real, valid reasons. There's no one-size-fits-all for cloud. Those issues force people to think about what is the same and what is different in cloud computing.

Previously, you introduced the discussion about the CSA. The thing we really worked on initially were 15 areas of concerns, and they're now consolidated to 13 areas of concern. What's different? What's the same? How do I need to focus on this? How can I map my compliance efforts? How can I assess, even if there are technical elements that are different in cloud computing? How can I assess the operational and cultural impacts?

As an industry, the security industry, we come about with novel and interesting ways every once in a while. Sometimes they're big, sometimes small, revolutionary/evolutionary, incremental ways to solve some of these problems. As we're forced into these new models, we will continue to do so.

Businesses have the challenge of what this means to their staff -- how they transfer things and interact with legal and HR and their contractors. Some of it you've still got to build in, and some of it you use RFP and contracting. That’s an interesting dynamic that has been moved more and more to a model where you are distributing your applications and content.

Gardner: Is it fair to say that a security problem is fundamentally a management and organizational problem?

From a cloud computing standpoint, all the attacks are largely the same, whether one application is here or in the cloud.



Hoff: It ought to be treated or thought about that way. Part of the problem is that we don’t. We, as an industry, and in many cases those that are responsible for what they think is securing assets, immediately drop down into kind of a realm of technology. It becomes a discussion about tools, and that’s problematic, because for the business, the consumer, it's a different language. They don’t care. They just want to know that their information is safe.

Gardner: Jeremiah at WhiteHat Security, let's put on a black hat for a minute. Say you're a bad guy. Maybe you're a foreign organization, military, or government, or competitor. You want to get inside. You want to find out what's going on or steal some intellectual property. Maybe you want to get access to some email. People are doing cloud-based activities. Where are you going to go to look for those cracks, those weaknesses?

Grossman: Fortunately or unfortunately, from a cloud computing standpoint, all the attacks are largely the same, whether one application is here or in the cloud. You attack it directly, and all the methodologies to attack a website are the same. You have things like cross-site scripting, SQL injection, cross-site request forgery. They are all the same. That’s one way to access the data that you are after.

The other way is to get on the other half of web security. That’s the browser. You infect a website, the user runs into it, and they get infected. You email them a link. They click something. You infect them that way. Once you get on to the host machine, the client side of the connection, then you can leverage those credentials and then get into the cloud, the back-end way, the right way, and no one sees you.

They can't see you

That’s the interesting thing from a black hat perspective. They can't see you. When it's in a cloud operating model, they lose visibility. There are no intrusion detection systems. You really don’t know who accessed your data and, when there is no visibility, even though they think they deleted their data, they really didn’t. There is a great big undelete button in a lot of these systems. That’s what we're looking at.

Gardner: If we look at that now not through not a technical lens, but that organizational and management lens, when you're probing around as a bad guy, what's going to make it likely that you are going to find what you want? Is that going to be a lapse of best practices, or is it technology, both? How do you protect yourself?

Grossman: It's going to be that visibility question. It's how can the provider tell you or inform you when things change? What the security posture is of the organization? When somebody accesses my hosted email account, can you tell me when? Or even on the insider threat side, can they tell you how many people have access to your data in their organization; because they are just at risk to comprise on their desktops as you are. So those are all going to be very important questions to get visibility, not only at the point in time, but all the time.

Gardner: Andy Ellis, as a network services provider at Akamai, what is that you can do or perhaps take on a different role so that you can look out for your customers in such a way that those cracks, those weaknesses, are less likely?

Ellis: A lot of what we try to do is build a wrapper in a sandbox around each customer to give them the same, consistent level of security. A big challenge in the enterprise model is that for every application that you stand up, you have to build that security stack from the ground up.

The weak point is often the browser. Compromise the client, and you get access to the data.



One advantage cloud does give you is that, if you are working with somebody who has thought about this is, you can take advantages of practices that they have already instituted. So, you get some level of commonality. Then, if a customer sees something and says, "You should improve this," that improvement can affect an entire customer base. Cloud has a benefit there to match some of the weaknesses it may have elsewhere.

Historically, in the enterprise model, we think about data in terms of being tied to a given application. That’s not really accurate. The data still moves around inside an enterprise. As Jeremiah noted, the weak point is often the browser. Compromise the client, and you get access to the data.

As people move to cloud, they start to change their risk thinking. Now, they think about the data and everywhere it lives and that gives them an opportunity to change their own risk model and think about how they're protecting the data and not just a specific application it used to live in.

Gardner: Some of the thinking out there, as I observe, is around the idea that this data is stuff I can put in the cloud, because it's not that important to me, but that is very sensitive data, and I am going to keep that on-premises. Is that the wrong way to look at things?

Not thinking in depth

Ellis: I often think it is, because sometimes that shows people aren’t thinking about it in-depth. As we noted earlier, a large fraction of the Internet retailers are using cloud for their most mission-critical things, their financial data, coming through every time somebody buys something.

If you are willing to trust that level of data to the cloud, you are making some knee-jerk reaction about an internal web conference between 12 people and a presentation about something that frankly most people aren’t going to care about, and you are saying, "That’s too sensitive to be in the cloud." But your revenue stream could be in the cloud. Sometimes it shows that we think parochially about security in some places.

Gardner: We maybe break it up between transactions and data when we should be thinking about securing it generally?

Ellis: Yes.

Gardner: James Fallows, in a recent Atlantic magazine, points out that many security experts like yourselves, expect the equivalent of a 9/11 in terms of cyber security. Should there be such a breach that creates some sort of a reckoning or rethinking, will people gravitate toward cloud for security or away from it, in your opinion, Chris?

Hoff: I was asked actually to comment on that article. I wondered if the author has actually read the Verizon Breach Report, because there are mini 9/11s every single day.

Everyone likes to talk about catastrophe, Armageddon, and apocalypse. It's fun. It creates headlines. We have seen the emergence of everything, as Jeremiah pointed out, from nation, state-sponsored espionage, laded with political intrigue and geopolitical overtones. Is that not important? Is that not a 9/11? How do you measure the impact? Is that death? Is it millions of pieces of personal information released? Is it millions of credit cards? Because if it's any of those, that happens everyday.

Will there be a single event? Perhaps. Will it do much to change people moving to or from cloud computing? Probably not.



Gardner: Let’s say it's something that really grabs the attention or the imagination of the general public?

Hoff: Will there be a single event? Perhaps. Will it do much to change people moving to or from cloud computing? Probably not. What are you going to move to or back to? Depending upon your definition of cloud computing, you probably are engaged in many different variations of it and I can't fathom the economic cost of what it would mean to abandon an entire computing model.

What it might do is drive awareness. We're actually doing a very good job, especially given the innovation shown typically by the U.S. government, which in many cases you don’t think of as an early adopter, pushing the boundaries, pushing the thought processes, where a mistake, as it relates to security and information, could mean death. It could mean the comprise of national security.

If they're looking at the model, working backward from the worst sets of outcomes, and thinking about how, when applying risk, they should or shouldn’t move things, then the notion that translates back to the rest of the community. We're talking about how we secure a paradigm closer to its arrival on the scene than we ever have in any other model. We're much better prepared to deal with and solve some of these problems than we ever have been before.

So, I don’t believe that we will suffer a catastrophe that will cause people to completely abandon cloud. I think that’s ludicrous.

Gardner: Jeremiah, do you think that this notion of an awareness-event of some kind will change perceptions, or do you think that if it's good enough for the U.S. government and military, it should be good enough for corporate 2000 businesses and therefore it is going to continue to be good enough?

No singular event

Grossman: That's an interesting question. I don't think there is going to be a singular cyber event that's going to cause massive physical world destruction and loss of life. I am not a believer on that one. If that were to occur, it would probably be a precursor to actual war. A computer and cyber attack is just a weapon. There would have to be something that goes along with it.

It's not to say that security events or lapses in application security or application quality haven't caused loss of life before. Mistakes and bugs have done that, but from an organized crime standpoint, there is no money in that. They're not looking to down systems and lose control. They want control. They want visibility. They want it to stay up. They even want us to make money, because they will capture some of it.

Gardner: More of a parasite than an attack, right?

Grossman: Yeah, absolutely.

Gardner: The host needs to be well enough for the parasite to survive?

Grossman: They will grab as much as they can, but they are not looking to destroy the system. Even nation- and state-sponsored activities want command and control, they don't want destruction, at least not initially.

Every day there are attacks and every day there are challenges and every day people face them. That's a great sign.



Gardner: So, this notion of moderate risk, managed risk, acceptable risk ... Andy, are we there and will we continue to be there, and will cloud computing allow for that risk to be always an acceptable risk?

Ellis: In some cases, we are there, and in some cases, we are not. We're moving and we're definitely getting better. As Chris noted, cloud computing changes the model for people and, in some ways, it forces them to think differently. That helps them look at what they're doing today. Maybe we were accepting risk that was unacceptable before, and cloud computing just opens our eyes to that level of risk, and we say, "Let's do something a little different."

As for the question of that giant event that will change the way we think about risk? I often think that's wishful thinking, as macabre as that may sound, on the part of people who have had a hard time getting others to look at risk differently. They sort of hope that maybe people will change their mind if something really bad happens. But, the reality is that we can't wait for that, and in fact, we don't want that to happen. It's our job to make that harder for an adversary to do.

We don't want that and we don't want to wait for that to change people's minds. It's our job as a community to help people grow and to help them manage the risks that are appropriate to them, in appropriate fashion.

Gardner: So, where to get started? If you're thinking about security differently, if you recognize that the cloud is here to stay, that it has significant productivity benefits to you as an organization, that your end users, your consumers, are expecting this, and that their expectations are actually increasing rather than decreasing around what the cloud can provide, where do you begin? How do you change in order to keep up with this risk?

Understand your own business

Ellis: The first thing you have to do is to understand your own business. That's often the first mistake that security practitioners may make. They try to apply a common model of security thinking to very unique businesses. Even in one industry, everybody has a slightly different business model.

You have to understand what risks are acceptable to your business. Every business is in the practice of taking risk. That's how you make money. If you don't take any risk, you're not going to make money. So, understand that first. What are the risks that are acceptable to the business, and what are the ones that are unacceptable?

Security often lives in that gray area in between. How do we take risks that are neither fully acceptable nor fully unacceptable, and how do we manage them in a fashion to make them one or the other? If they're not acceptable, we don't take them, and if they are acceptable, we do. Hopefully we find a way to increase our revenue stream by taking those risks.

Gardner: Jeremiah, same question. Where do you start? How do you get the right balance and keep it?

Grossman: Andy is absolutely right. You have to understand your business and where the value is. One of the things to look at is what assets you hold. What is it worth to you? And, you begin from there.

How do we take risks that are neither fully acceptable nor fully unacceptable, and how do we manage them in a fashion to make them one or the other?



What's interesting about security spending versus infrastructure spending or just general IT spending is that it seems security is diametrically opposed to the business. We spend the most money on applications and our data, but the least amount of security risk spend. We spend the least on infrastructure relative to applications, but that's where we spend the most of our security dollars. So you seem to be diametrically opposed.

What cloud computing does, and the reason for this talk, is that it flattens the world. It abstracts the cloud below and forces us to realign with the business. That's what cloud will bring in a good way. It's just that you have to do it commensurate with the business.

Gardner: Cloud computing forces you to consider security from soup to nuts, from the beginning, the middle, and an ongoing value for your business, not just your IT.

Grossman: Exactly.

Gardner: Interesting. So. the question also to you, Chris, where do you get started? How do you keep risk managed and keep it there?

Giving up control

Hoff: Cloud computing ultimately is about gracefully giving up control. Control is not the same thing as trust, and is not the same thing as security, in terms of definition. When you look at the notion of trust, which is really what we talk about when we talk about any situation where you don't have ultimate ownership, or you don't have the ability to point to a particular location and say, that's where my app and data lives, trust is really made up of security, control, compliance, and service levels.

One things that we haven't brought up here, but that I think is critical, is that in many cases, when you basically give up control and you have the ability to enable self-service, the business has a capability to not even have to talk to you, if you are in security.

They can take your credit card, they can run and pull up a web browser, and they can go instantiate potentially hundreds of images on a public-facing cloud provider, using a shared image that doesn't use any of your security controls, never been vetted, was uploaded as a community service by somebody, and start instantiating your data on applications they had built or that they downloaded from somewhere, and you would never know.

So, the point here from where you get started, is that, when you talk about knowing your business, what that means is understanding whether you are a barrier to their ability to actually conduct business. Were you to tell them, "No, you can't use cloud computing," first of all, how would you stop them and how would you know? Getting engaged from a business and organizational perspective is very critical.

Cloud computing is not a destination. It's another tick along the time axis.



The way that I've seen success start to propagate its way through a company is when the CEO picks up The Wall Street Journal and says, "Oh, cloud computing. Andy, make that happen tomorrow. Why aren't we doing this? Everybody else is. Saves us money. It's green. It's whatever." This really gains a shared understanding of what cloud computing is.

The CSA guidance is fantastic. I've been in meetings with product managers, application architects, the development staff, the CIO, the CTO, and, believe it or not, business unit leaders, who say, "We're thinking about this cloud thing. What do we do? What does this mean to us? Anybody knows the pragmatic discussions of what they do today, how they do it, whether they think it's moving, what kinds of data, what kind of apps? And here is the risk. Do you have a risk assessment framework? Yes, we do. Great, use it."

Look at the guidance and understand what this means. Quite honestly, the end message in these briefings that I have with these customers is that cloud computing is not a destination. It's another tick along the time axis.

We think we are going to arrive at some point where we just stop, where cloud computing and whatever we have today is the end. It's simply not going to happen that way.

One of the things I like to draw attention to is that I try to time things and discussions in business terms, value terms, about three or four years ahead of the curve. We try to have discussions about where things are headed.

In my keynote at the CSA, I was asked to talk about the future of cloud, and I thought it was kind of absurd since we are barely in the present. But, what I talked about was the notion that where we are massively recentralizing data and applications in these very huge mega data centers and cloud providers, we are at the same time massively decentralizing applications and content on smartphone platforms, on Netbooks, on things like new iPad delivery devices.

You have two completely different security models you have to deal with. If folks don't understand that what's important again is the information or the content and how that affects the business, they're not going to be able to make rational decisions. Security won't make rational decisions. We'll end up in a car crash, and ultimately, the arbiter of all of this, the thing we haven't talked about yet, is compliance.

So, if the regulators don't understand, if the auditors don't understand it, as much as you might do a good job and be able to use cloud computing to your benefit, when they come in to do an audit and they don't understand the business value in what you have done, you can't show them you understand it ... game over.

That's a huge issue for us right now. We're measured not on security and how well we do security, but how we comply to standards, because we haven't done well in security, and that's fundamentally changing.

Gardner: Perhaps a distillation of that is to know yourself, and know yourself the way you're going to be tomorrow, because you are going to change and the world around you is going to change.

Hoff: Absolutely.

Gardner: Very good. We've been talking about cloud computing and security. We're here at the RSA Conference in San Francisco. I would like to thank our panelists; Chris Hoff, director of Cloud and Virtualization Solutions at Cisco Systems.

Hoff: Thanks very much.

Gardner: I appreciate your input. We have also been joined by Jeremiah Grossman. He is the founder and Chief Technology Officer at WhiteHat Security.

Grossman: Thank you very much for having me.

Gardner: Thank you. And also Andy Ellis, the Chief Security Architect at Akamai Technologies.

Ellis: Thanks Dana.

Gardner: I'm Dana Gardner, Principal Analyst at Interarbor Solutions. Thanks for joining this special sponsored video podcast. Come back next time for more information on cloud computing.

To view a full video of the panel discussion on cloud-based security, please go to the registration page.

Listen to the podcast. Find it on iTunes/iPod and Podcast.com. Download the transcript. View the video. Sponsor: Akamai Technologies.

Edited transcript of a podcast and video panel presentation from the RSA Conference on bringing security best practices to cloud-based computing models. Copyright Interarbor Solutions, LLC, 2005-2010. All rights reserved.

You may also be interested in: